Information Governance Strategy - NHS Gateshead · 2018. 11. 19.


Posted on 21-Aug-2020



Information Governance Strategy v4 1

Policy No: IG01
Version: 4.0
Name of Policy: Information Governance Strategy
Effective From: 30/06/2016
Date Ratified: 09/02/2016
Ratified by: Health Informatics Assurance Group (HIAG)
Review Date: 01/02/2018
Sponsor: Director of Finance and Information
Expiry Date: 08/08/2019
Withdrawn Date:

Unless this copy has been taken directly from the Trust intranet site (Pandora) there is no assurance that this is the most up to date version.

This strategy supersedes all previous issues.


Version Control

Version | Release | Author / Reviewer | Ratified by / Authorised by | Date | Changes (please identify page no.)
1.0 | Jan 2012 | Kevin Craddock – IG Lead | Health Informatics Assurance Committee (HIAC) | Jan 2012 | 
2.0 | Jan 2013 | Lauren Hamill – IG Lead | Health Informatics Assurance Committee (HIAC) | Jan 2013 | Document re-formatted to comply with Trust standards
3.0 | March 2015 | Marie Galloway – Information Governance Lead | Health Informatics Assurance Group (HIAG) | March 2015 | Document re-formatted to comply with the Trust’s IGTK standards
4.0 | 30/06/2016 | Marie Galloway – Information Governance Lead | Health Informatics Assurance Group (HIAG) | 09/02/2016 | Amendments made to account for the reconvened Records Management Group in Oct 2015 and changes to the structure diagrams in appendices 1 and 2


Contents

Page No.

1. Introduction .................................................................................................................................. 4

2. Strategy scope .............................................................................................................................. 4

3. Aim of strategy ............................................................................................................................. 4

4. Duties - roles and responsibilities ................................................................................................ 4

5. not used ........................................................................................................................................ 6

6. Information Governance strategy ................................................................................................ 7

6.1 NHS framework .................................................................................................................. 7

6.2. Objectives of the strategy .................................................................................................. 7

6.3 Principles of the strategy .................................................................................................. 9

6.4 Staff and resources ............................................................................................................ 10

6.5 Management board structure ........................................................................................... 10

6.6 Working groups .................................................................................................................. 10

6.7 The Information Governance Toolkit ................................................................................. 11

6.8 The Information Governance programme deliverables .................................................... 11

6.8.1 The IG policy framework ........................................................................................... 12

6.8.2 The annual work plan ............................................................................................... 12

6.8.3 Contracts ................................................................................................................... 13

6.8.4 Information risk management programme .............................................................. 13

6.8.5 Projects – procurement of systems / change management processes .................... 16

6.8.5.1 Privacy impact assessments ........................................................................... 16

6.8.5.2 IT/IG risk assessment ...................................................................................... 16

6.8.6 Integrated working ................................................................................................... 16

6.8.7 Research .................................................................................................................... 17

6.8.8 Information requests ................................................................................................ 17

6.8.9 Management of records ........................................................................................... 17

6.8.10 The management and reporting of security incidents ........................................... 17

6.8.11 Staff training ........................................................................................................... 18

6.8.11.1 E-learning training ................................................................................... 19

6.8.11.2 Specialist training .................................................................................... 19

6.8.11.3 Bespoke or departmental training .......................................................... 19

6.8.11.4 The training needs analysis (TNA) matrix ............................................... 20

6.9 Staff disciplinary ................................................................................................................. 20

7. Training ......................................................................................................................................... 20

8. Equality and diversity ................................................................................................................... 20

9. Monitoring the compliance / effectiveness of this strategy ........................................................ 20

10. Consultation and review of this strategy ..................................................................................... 21

11. Implementation of this policy ...................................................................................................... 21

12. References .................................................................................................................................... 21

13. Associated documentation ........................................................................................................... 21


Appendix 1 Roles and accountability structure ............................................................................ 23

Appendix 2 Committee / group structure .................................................................................... 24

Appendix 3 Terms of reference for the HIAG ............................................................................... 25

Appendix 3a Membership of the HIAG ........................................................................................ 28

Appendix 4 Information Governance Toolkit controls summary ................................................. 29

Appendix 5 The policy and procedure IG framework................................................................... 31

Appendix 6 The Information Governance work plan ................................................................... 33

Appendix 7 The Trust’s IG specialist training programme ........................................................... 35


1. Introduction

Information is a vital asset for any organisation. Our information assets at Gateshead Health NHS Trust support both the day to day clinical operations and the effective management of our services and resources. As a healthcare provider, the Trust is responsible for ensuring that any information it collects is handled and protected securely, while remaining available whenever it is needed to ensure the safety and effective care of our patients.

Information Governance provides a secure mechanism for the handling of all types of information relating to patients, employees and clients who conduct business with the Trust. It is therefore critical that the information we hold across the Trust’s business activities is accurate, protected from unauthorised disclosure and available in a timely manner to aid effective decision making when needed. Effective information management plays a key part in corporate and clinical governance, strategic risk, service planning and performance management.

2. Strategy scope

This Strategy applies to:-
• Any individual employed, in any capacity, by the Trust, including employees, students, volunteers and third party contractors;
• All paper and electronic information;
• All information systems and information assets managed by or used by the organisation.

For the purpose of this Strategy the term “information asset” refers to any useful or valuable store of information, in any format, which is processed, held or may need to be transferred.

3. Aim of strategy

This Strategy sets out the Trust’s information governance assurance framework for the handling of information. It brings together the set of statutory, mandatory and best practice standards mapped out in the Information Governance Toolkit. It provides a robust information governance framework of clear and effective management and accountability structures, governance processes, documented policies and procedures, trained staff and adequate resources, all of which are required to ensure that any information held by the Trust is managed appropriately, securely and legally.

Adhering to these requirements, standards and best practice for the processing of personal data will help the Trust to:-
• Provide excellent care to our patients;
• Comply with the law;
• Implement the DoH guidelines and standards;
• Plan year on year improvements in the information governance agenda;
• Fulfil the IG Toolkit requirements;
• Provide assurance against international standards such as ISO 15489 (Records Management) and ISO 27001/27002 (Information Security).

4. Duties – roles and responsibilities

Trust Board

The Trust Board will define the requirements of the Information Governance Strategy, taking into account the legal principles and NHS framework standards. The Board will ensure sufficient resources are provided to support the requirements of this Strategy.


Chief Executive Officer (CEO)

The Chief Executive has overall accountability and responsibility for the Trust’s information governance agenda and will provide assurance, through the Statement of Internal Control, that all risks, including information risks, are effectively managed and, where appropriate, mitigated. The CEO will ensure all statutory obligations and any Department of Health directives are complied with.

Senior Information Risk Owner (SIRO)

The Director of Finance and Informatics, an appointed Executive Director on the Board, is the Trust’s Senior Information Risk Owner (SIRO), responsible for all aspects of IG and Information Security. Day to day delivery of this role has been delegated to the Deputy Director of Informatics.

Caldicott Guardian (Medical Director)

The Medical Director, who is the Trust’s appointed Caldicott Guardian, will act in a strategic, advisory and facilitative capacity to provide assurance on all clinical, confidentiality and data sharing matters. The Caldicott Guardian will approve, monitor and review processes where access to clinical information is required by other Trust departments and by third party organisations, both NHS and non-NHS. The Caldicott function will be managed through an action plan/gap analysis for the IG Toolkit.

Information Governance Lead

The Information Governance Lead will provide operational management of the Trust’s Information Governance framework. The IG Lead will:-
• Provide strategic direction, planning and guidance to ensure compliance with information governance legislation and the national agenda;
• Ensure work practices are evaluated and supported through the development of appropriate policies and procedures across the organisation;
• Develop an appropriate IG induction and mandatory training programme for all staff;
• Monitor all actual and near miss security incidents within the organisation;
• Complete the Department of Health’s annual IGTK self-assessment and submission in a timely manner;
• Assist the IT Directory and Security Manager with all IG/IT related matters as and when necessary.

IT Directory and Security Manager

The Trust’s IT Directory and Security Manager will:-
• Provide IT technical advice on all matters relating to IT security for compliance with the Information Governance Framework;
• Assist with all reported IG and IT security incidents as and when necessary.

Head of Informatics, Programmes & Projects

The Head of Informatics, Programmes and Projects will work with the IG Team to ensure all new IT systems and processes are identified and all relevant privacy impact assessments are conducted, so that the implementation of any new technology does not give rise to any privacy concerns.

Health Records Manager

The Trust’s Health Records Manager will take full responsibility for:-
• The management of all health records; and
• Undertaking the Trust’s annual corporate/health record audit programme.


Information Asset Owners (IAOs)

The Trust’s appointed Information Asset Owners (IAOs) will support the Information Governance Lead to ensure all information assets are assigned appropriate ownership. The IAOs are accountable to the SIRO and will report any information risks to the IG Lead/SIRO to ensure all information risks are managed effectively for the information assets they own. Each IAO will be required to:-
• Foster a culture that values the protection and use of information assets;
• Know who has access to their information assets (whether paper or electronic) and be able to demonstrate that access is routinely monitored and reviewed;
• Know and be able to justify the nature of the information flows to and from their information assets;
• Provide assurance to the SIRO that all risks are monitored through the application of annual risk assessments.

Information Asset Administrators (IAAs)

The Trust’s appointed Information Asset Administrators (IAAs) will assist the IAOs in their day to day duties and consult with the IAOs on incident management. These will generally be the nominated team managers, supervisors or system administrators who manage the information assets and system processes at a local level. All IAAs will need to ensure that:-
• Systems and assets are configured with appropriate controls and are reviewed regularly for compliance with the Trust’s security policy requirements;
• Appropriate authority is provided before user access is granted;
• User accounts on systems are removed as and when necessary.

Managers

All service managers will ensure:-
• They take responsibility for the implementation of appropriate IG standards in local processes for compliance purposes;
• Job descriptions contain appropriate confidentiality and information security clauses;
• Staff undertake mandatory IG training on an annual basis, including any ongoing training needs that may affect the Trust’s practices;
• They take day to day responsibility for the physical environment in which information is stored and processed.

Communication Team

The Communication Team will liaise with all stakeholders to ensure appropriate messages relating to information governance are communicated.

All Staff

All staff will have adequate IG training in their dedicated area to enable them to carry out their roles and responsibilities.

Third Parties/Contractors

Appropriate contracts containing confidentiality and information security clauses will be issued to, and honoured by, all contractors and third parties who have been given rights of access to our information assets.

(For further information please refer to the Roles and Accountability Structure in Appendix 1).

5. not used


6. Information Governance strategy

6.1 NHS framework

The NHS Operating Framework sets out the Trust’s approach to Information Governance.

The main legal framework governing the use of personal data includes:-
• The Data Protection Act 1998;
• The Freedom of Information Act 2000;
• The Environmental Information Regulations 2004;
• The NHS Act 2006;
• The Health and Social Care Act 2012;
• The Human Rights Act 1998;
• The Re-use of Public Sector Information Regulations 2005;
• The Computer Misuse Act 1990;
• The Copyright, Designs and Patents Act 1988 (as amended by the Copyright Regulations 1992);
• The Privacy and Electronic Communications (EC Directive) Regulations 2003;
• The Protection of Freedoms Act 2012.

Codes of Practice:
• The NHS Confidentiality Code of Practice;
• The Caldicott Principles;
• The NHS Records Management Code of Practice;
• The Lord Chancellor’s Code of Practice on Records Management under section 46 of the Freedom of Information Act 2000;
• Information Security Management: NHS Code of Practice.

The framework pursued by this Strategy will implement the six themes of the IG Toolkit:-
• Information Governance (management, accountability, training);
• Confidentiality and Data Protection (use of personal data);
• Information Security;
• Clinical Information Assurance;
• Secondary Use Assurance of Information (data quality, non-direct use of clinical information);
• Corporate Information Assurance (records management, freedom of information etc.).

6.2. Objectives of the strategy

The Trust’s key objective for this Strategy is to achieve a standard of excellence in information governance. Through the implementation of this Strategy, the Trust aims to:-

• Establish and maintain policies and procedures for Data Protection and Confidentiality, Freedom of Information, Information Security and Data Quality that define appropriate standards for the handling of personal and corporate data. This will lead to improvements in:-
o Information handling activities;
o Reduced record duplication and improved records management;
o Patient confidence in the Trust and the NHS;
o Better trained staff.

• Undertake or commission annual assessments and audits of its policies and arrangements to improve current working practices. This will minimise corporate risks arising from poor handling practices, such as:-
o Increased information security incidents;
o Corporate/patient complaints;
o Patient harm caused by inadequate access to patient information;
o Corporate and clinical negligence claims;
o Audit investigations and monetary penalties from the ICO and other public bodies;
o Negative press and publicity;
o Damage and stress to individuals involved in data breaches.

• Complete the annual Information Governance Toolkit to a level 3 compliance target, wherever possible, for the next three years.

• Develop an annual IG Improvement Plan and Action Plan arising from the baseline assessment completed against the IG standards set out in the HSCIC Information Governance Toolkit. This will be the vehicle used for improving information governance at the Trust.

• Instil a culture of information governance so that all staff understand their IG responsibilities and apply best practice and principles when managing data. This will involve the promotion of effective information governance communication and training to raise awareness of key security issues in the Trust.

• Develop an information risk management reporting structure to ensure all information risks in the environment are appropriately managed, supporting the overall risk management function of the Trust.

• Ensure there is a clear structure and framework for reporting security incidents and for management action in response to all IG requirements. The Trust will foster a culture of change from documented lessons learnt in response to data breaches. This will be in accordance with the Trust’s Information Risk Policy, Incident Management Policy and The Reporting of Serious IG/Cyber Incidents Policy.

• Provide innovative solutions and streamline business processes and systems for the handling of personal data. It is anticipated this will reduce the number of systems that hold personal data.

• Encourage multi-disciplinary teams to work closely together to reduce repetitive working practices by sharing information and standardising procedures and practices.

• Encourage a culture of openness and transparency by making non-confidential information readily and easily available through a variety of media, in line with the Trust’s Publication Scheme. This will build positive relations with our internal and external clients by providing an efficient and reliable service in all IG matters.
o Clear advice and guidance will be made available via the Trust’s internet site to explain how service users can exercise their legal rights of access to information and how they can raise concerns if they are dissatisfied with any processing of their data;
o Information will be made available in various formats, subject to a range of exemptions and restrictions, in response to Subject Access Requests under the Data Protection Act 1998, FOI requests under the Freedom of Information Act 2000 and EIR requests under the Environmental Information Regulations 2004;
o The Trust will publish a fair processing notice via its website to explain how information is recorded, held and shared;
o Patients will be made aware of the importance of providing accurate and up to date information about themselves to the Trust so that appropriate care can be given to them as and when necessary. This will allow the Trust’s resources to be utilised adequately.

• Ensure all key service data is accurately recorded and maintained, with regular cross-checking against source data. The data standards/definitions used will be clear and consistent for each data item, in accordance with national standards.

• Regard all person identifiable data (PID) relating to service users as confidential except where national policy on accountability and openness requires otherwise. Any appropriate sharing of information will take account of relevant legislation such as the Human Rights Act, the Health and Social Care Act, the Crime and Disorder Act, the Protection of Children Act, the revised Caldicott Principles, and the common law duty of confidentiality and its associated guidance.

6.3 Principles of the strategy

The Trust will adopt the Department of Health standards (the “HORUS model”), which require information to be:-
• Held securely and confidentially;
• Obtained fairly and efficiently;
• Recorded accurately and reliably;
• Used effectively and ethically;
• Shared appropriately and lawfully.

The IG Strategy will take account of the Trust’s Vision and Compact Values when managing personal data.

The implementation of this Strategy will:-
• Help staff to manage personal information for the benefit of our clients and patients’ care;
• Ensure that all practices and procedures relating to the handling and holding of personal and Trust corporate data are legal and conform to best and/or recommended practice. This means the Trust will ensure that its principles of corporate governance and public accountability do not override any security arrangements or any duty of confidentiality owed in safeguarding personal information about service users, families, carers and staff, or commercially sensitive information from our clients. Where appropriate, a balance will be struck between openness and confidentiality in the management and use of information;
• Where information needs to be shared with our partner organisations (particularly health organisations), ensure this is done in a controlled manner that is consistent with the interests of the service users or clients, unless the public interest test affects our decision making processes and disclosure requirements;
• Ensure procedures are reviewed to monitor their effectiveness so that improvements or deterioration in information handling standards are recognised and addressed immediately;
• Ensure that when service developments or modifications are undertaken, a review is undertaken of all aspects of the information governance arrangements to ensure they are robust, do not infringe on privacy rights and support effective patient care.

6.4 Staff and resources

See section 4 above.

Other staff roles that will support the Trust’s IG Strategy include:-
• Risk Management – Risk Manager
• Legal Services – Legal Services Manager
• Human Resources – HR Manager (staff training/employment contracts)
• Registration Authority – RA Officer (i.e. Smartcard provision/access controls)
• Head of Safecare (for the roll out of the Clinical Audit programme)
• Clinical Coding Manager (for the roll out of the Clinical Coding Audit Programme)
• Information Manager

QEF staff will provide the following roles:-
• Business Continuity – Business Continuity Manager
• Procurement – Procurement Manager

6.5 Management board structure

The Health Informatics Assurance Group (HIAG) is the delegated steering group appointed to oversee the implementation of this Strategy. The group will:-
• Monitor the effectiveness of this Strategy at its monthly meetings to identify potential gaps and weaknesses in the Trust’s IG accountability arrangements and ensure the organisation is aligned to best practice and national guidelines;
• Agree an annual IG improvement work plan for review and sign off;
• Identify resource implications for each IG work stream;
• Monitor all quarterly and progress reports and action plans;
• Report on serious security incidents and issues to the HIAG and Trust Board (all serious incidents will be published and reported via the HSCIC and the ICO);
• Ensure the accurate completion, review and sign off of the DoH Information Governance Toolkit.

Reports are provided to other committees on an ad hoc basis, as and when required. A summary of the Trust’s committees that support the IG agenda is given in Appendix 2. Annual membership of the HIAG is stipulated in the Terms of Reference in Appendix 3.

6.6 Working groups

Three working groups will report into the HIAG, focusing on the current IG and CQC arrangements in their respective areas:-
• Records Management Group;
• Data Quality and Secondary Use Group;
• Systems Management and Development Group.

The above groups convene on a bi-monthly basis and will present highlight reports and action plans to the HIAG, as and when necessary.

The Gateshead Information Network (GIN) will ensure the smooth operation of our integrated services with other NHS bodies and agencies.

6.7 The Information Governance Toolkit

The Department of Health’s IGTK requires all NHS organisations in England to achieve a minimum level 2 compliance rating against all 45 IG standards. This mandatory online assessment is used as a key source of information by other organisations, such as the Healthcare Commission and the CQC, for compliance auditing purposes.

The Trust is very ambitious and will aim to achieve a level 3 compliance rating and a grading score of over 80%, wherever possible, over the next three year period. A framework of assurance will be allocated to the appropriate information asset holders so that the co-ordination of evidence is in place.

The Trust will submit its online IG performance reports on three separate core submission dates:-
• 30 July – baseline assessment;
• 31 October – self assessment or improvement plan;
• 31 March – final annual self-assessment report.

All IGTK scores will be verified by the annual Internal Audit review and reported in the End of Year IGTK Assurance Report and the Annual IG Report to the HIAG and the Trust Board, along with any action plans necessary to remedy any IG failures.

Note: New versions of the IG Toolkit are released annually and the set requirements may change to reflect current and new standards. This means that the Trust will have to provide additional evidence to support the changes in order to maintain the score achieved in the previous year. (Please refer to Appendix 4 for a summary of the IG Toolkit controls.)

6.8 The Information Governance programme deliverables

The Trust will establish a robust information governance programme of deliverables which conforms to the Department of Health’s IG Toolkit standards and objectives.

Page 13: Information Governance Strategy - NHS Gateshead · 2018. 11. 19. · Information Governance Strategy v4 5 1. Introduction Information is a vital asset for any organisation. Our information

Information Governance Strategy v4 13

Table 1: The Information Governance Deliverables

6.8.1 The IG policy framework

Existing policies will be developed and updated every two years and will be approved in principle by the Director of Finance and Informatics before ratification by the HIAG Group. All policies will be made available via the staff intranet and through staff communication emails and newsletters. (Please refer to Appendix 5 for a summary of the Trust’s policies and procedures that support the Trust’s IG agenda.)

Employees will be expected to read the policies in conjunction with their employment contracts and the IG Staff Handbook (available via the staff intranet). The policies outline the scope of the IG framework and set out the responsibilities of all staff in the Trust. The Trust will ensure staff familiarise themselves with these policies through its IG Staff Training Strategy and the Training and Communication Plan to ensure they understand what is expected of them.

6.8.2 The annual work plan

An annual IG Improvement Plan arising from the baseline assessment of the IGTK standards will be developed each year. The work plan will be updated quarterly following any progress reports and IGTK submissions. (Please refer to Appendix 6.)

6.8.3 Contracts

All employment contracts entered into by the Trust will contain appropriate IG confidentiality clauses that reference the organisation’s legal obligations in terms of confidentiality, data protection, freedom of information and data security. For casual staff, the confidentiality agreement for third party suppliers/individuals will be signed.

All third party contractors of goods and services or consultancy will have an appropriate contract detailing the information governance requirements. The contract will contain confidentiality clauses and an undertaking that any information exchanged or obtained during the performance of a contract is kept confidential and shall only be used for the sole execution of that contract. All parties involved will take the necessary precautions to ensure that information is kept secure. This process will be managed by the Head of Procurement. Where a third party requests access for the sharing of patient identifiable information, an information risk assessment will be undertaken before access is granted.

6.8.4 Information risk management programme

To appropriately scope and prioritise the information risks of the Trust, the IG Team will develop an annual information risk management programme to determine how its information is used and protected through:-

• A series of audits, e.g. the corporate/clinical record audit, the RA Audit etc.;

• The compilation of data mapping flows and information asset registers;

• Service ad-hoc IG spot checks on data compliance and best practice;

• Data quality checks;

• Reviews of security incidents;

• Risk assessments and privacy impact assessments.

This will protect the Trust, its staff and its patients from information risks where the likelihood of occurrence and the consequences are significant. It will ensure the Trust has a proactive approach to risk rather than a reactive attitude. The focus of the risk management programme will be to determine whether the Trust’s implemented policies and procedures are effective in:-

• Regulating the processing and sharing of personal data;

• Identifying and controlling risks to prevent potential security incidents and data breaches from occurring;

• Testing the adequacy of the IG controls in place;

• Recommending any changes in control, where necessary;

• Acting as a vehicle for sharing knowledge with trained IG staff.

The IG Strategy will ensure all information assets are:-

• Identified by purpose and service area;

• Classified either as sensitive or as critical assets depending on the format and type of information held;

• Assigned ownership to an information asset owner (IAO) who will provide assurance on the security and use of that asset to the Trust’s SIRO (this will be determined by where it is located);

• Given a risk score, i.e. identified as low, medium or high, are supported by the Trust’s Board and, where appropriate, are considered for inclusion on the Trust’s Risk Register. This will be determined by how the asset is managed and who the dependencies are in terms of other systems and beneficiaries (either internal or external). Risks that cannot be managed locally by the IAO will be escalated to senior management. Proposals for risk mitigation measures will be considered by senior management, who will decide whether the risks are real and the proposals affordable and justified. Where mitigating actions are necessary, priorities and timescales will be clarified and monitored.

Table 2: The Information Asset Framework – key responsibilities:

• Ultimate authority over and responsible for overall direction;

• Oversees the information and data governance programme and makes all strategic decisions;

• Responsible for establishing and shaping enterprise information standards and policies;

• Executes the information and data governance policy;

• Supports on-going technical tasks.

The Risk Level Matrix to be used will be:

Consequence (score) | Likelihood score: 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost certain
5 Catastrophic      | 5  | 10 | 15 | 20 | 25
4 Major             | 4  | 8  | 12 | 16 | 20
3 Moderate          | 3  | 6  | 9  | 12 | 15
2 Minor             | 2  | 4  | 6  | 8  | 10
1 Negligible        | 1  | 2  | 3  | 4  | 5

Table 3: The Trust’s Risk Matrix

The allocation of information asset ownership will assist the Trust with its Business Continuity Planning requirements.

The Information Asset Management Task is a significant piece of work which will be undertaken between 2016-2018. All information asset owners will be required to update their Information Asset Register each time an information asset is created, amended or replaced.

6.8.5 Projects - procurement of systems / change management processes

Any changes proposed to the way in which information is processed (collected, stored, used or disposed of) in the Trust will be considered in the context of the IGTK requirements. All reviews and assessments will be conducted in the early stages of any given project. The IG Strategy will ensure that there are reporting mechanisms in place to the HIAG and to the Health Informatics Strategy Group (HISG) where new computer systems or upgrades are proposed, computerised or manual, that hold personal identification data (i.e. PID), including PID relating to service users, carers or staff.

The HIAG will consider:-

• The access controls, audit trails and the monitoring of user activity;

• The arrangements for backing up data, its resilience and the archiving, retention and deletion of data;

• Confidentiality clauses in respect of third party contractual arrangements, i.e. the development, installation and maintenance of the system;

• The secure transfer of data;

• System security accreditation during the procurement process;

• The system’s forensic investigative readiness procedure.

6.8.5.1 Privacy impact assessments

Privacy Impact Assessments (PIA) will be undertaken by IAOs where new systems and processes are proposed, to determine if the new technology gives rise to any privacy concerns. This is in accordance with the ICO’s Privacy Impact Assessment Code of Practice, available at: www.ico.gov.uk, and the Trust’s Information Governance Policy for New and Changed Systems, Processes and Services (IG10), which is published via the staff intranet.

6.8.5.2 IT/IG risk assessments

All IAOs procuring new systems will be required to complete an IT/IG General Checklist Assessment to ensure the system complies with current IT/IG practices. This risk assessment is available via the staff intranet.

6.8.6 Integrated working

The IG Strategy will take into account the need for integrated working practices between third party organisations and departmental services. Data sharing agreements (ISAs) will be used where personal identifiable information (i.e. PID) is routinely shared between organisations and third parties and will be signed off by the Trust’s Caldicott Guardian (i.e. the Medical Director) or an equivalent senior member of staff. All ISAs will state the legal principles and purpose of the agreement, the consent process, the approved method of transmission, any other standards associated with secondary use (e.g. re-use of information, retention and destruction requirements) and general housekeeping practices (e.g. the administration of information requests, complaints, the media and withdrawal of agreement terms etc.).

ISAs will not be used for ad-hoc or one-off large transfers of personal data, e.g. where clinical data has been shared for a one-off requirement.

6.8.7 Research

Access to clinical information on a day to day basis for research purposes will be via the Caldicott Guardian approval procedure, with appropriate sign off by the Trust’s Caldicott Guardian (i.e. the Medical Director) and the support of the Trust’s Research and Development Team, where necessary.

6.8.8 Information requests

The IG Strategy will ensure there are designated roles to process all information requests under the Freedom of Information Act 2000, the Data Protection Act 1998 (including the Access to Health Records Act 1998) and the Environmental Information Regulations 2004, and those submitted by third parties, e.g. the Police. Responses will be co-ordinated within statutory timescales, ensuring that necessary exemptions are applied, where appropriate.

6.8.9 Management of records

Trust-wide audits on samples of corporate and clinical records will be undertaken to establish if good record keeping and data quality standards are being achieved, as set out under the Records Management Code of Practice under s46 of the Freedom of Information Act 2000. This will demonstrate that our patient information is being recorded and handled in a manner that complies with the Trust’s legislative and regulatory requirements.

The audits will run for a series of months with a final report produced to show the status of feedback. This will then feed back into the Trust’s departments to facilitate improvement and improved targeted training.

6.8.10 The management and reporting of security incidents

The Trust is very conscious of the repercussions of not managing personal data:-

• A £1,000 fine for not reporting serious security offences to the Information Commissioner’s Office (ICO) within 24 hours of an event occurring;

• A monetary fine of up to £500,000 by the ICO per data security offence with respect to any potential data breaches regarding the loss, theft, inappropriate disclosure or modification of personal data;

• A monetary fine of up to £500,000 by the ICO for misuse of personal data regarding the use of email, fax and telephone;

• A compulsory inspection and enforcement notice by the ICO.

The IG Strategy will ensure that there are adequate security arrangements in place for:-

• Reporting IG events or incidents across the Trust and managing risks where appropriate via the Trust’s Datix Incident Reporting System (as per the protocol under the Incident/Near-Miss Reporting and Investigation Policy and The Reporting of Serious IG/Cyber Incidents Policy);

• Analysing, investigating and upward reporting of events/incidents and recommendations to senior management;

• Dealing with the Information Commissioner’s security reporting requirements;

• Ensuring all IG work plans are updated with recommendations and lessons learned;

• Communicating IG developments and standards to staff.

All incidents categorised at level 1 will be monitored in quarterly reports to the HIAG, whilst level 2 and above incidents will be escalated to key staff and, once approved, reported to the ICO and DoH via the Trust’s IGTK Incident Reporting System. For all data breaches the IG Lead will grade the severity of the incident for sign off by the Trust’s SIRO and Caldicott Guardian.

6.8.11 Staff training

Staff training is fundamental to the success of this Information Governance Strategy. The Trust will develop an effective induction and mandatory IG training programme that extends beyond basic principles in confidentiality and security so as to improve staff awareness and best practices. Staff will be informed of the Trust’s legal obligations in terms of data processing and their own responsibilities and rights in terms of privacy, choice and client/patient confidentiality. To ensure the Trust achieves the 95% compliance rate as stipulated by the IGTK standards, all training sessions will be recorded on the Electronic Staff Record (ESR) and a system employed to ensure that non-attendance is followed up by O&D.

Training | Staff | Type of Training | Frequency
Corporate Induction IG Training | New starters | Face to face training | Monthly
Core Mandatory Annual IG Training | Existing employees | Face to face training or via the new E-learning IG training portal (whichever is appropriate) | Fortnightly
Specialised IG/Risk Management Training | SIRO, IAOs and IAAs | Courses stipulated on the HSCIC IG e-learning training tool (IGTT) will be completed | Every 3 years
Specialist Training | Specialist Teams | Face to face presentations/talks to key staff involved in IG matters | As and when necessary

All new starters will attend a face to face session as part of the induction process. The IG module will cover:-

• The Importance of Information Governance;

• Data Protection, Confidentiality and the Caldicott Principles;

• Information Risk Reporting;

• Records Management;

• Data Quality;

• Information Security.

IG refresher training will form part of the annual mandatory training programme for all current staff.


6.8.11.1 E-learning training

All staff may now complete their annual IG mandatory training via the Trust’s new e-learning portal at: http://e-learning/my/. The portal caters for different learning styles and individual needs and allows staff to complete their training at a time that is convenient to them. Users are given appropriate site passwords and logins once registered.

6.8.11.2 Specialist training

Staff in specialist roles across the Trust will be expected to undertake further training as stipulated in Appendix 7 within 3 months of taking up post.

The Trust will use the national e-learning Information Governance Training Tool (IGTT) to deliver this specialist training programme. The tool is accessed via https://www.igtt.hscic.gov.uk/igte/index.cfm. Each module will be expected to be refreshed every three years. The IG Lead will frequently check that the training has been undertaken.

It is noted that the Health and Social Care Information Centre (HSCIC) is the copyright owner responsible for the content and design of the Information Governance Training Tool (IGTT). It is not a product of the Trust and therefore any concerns or queries with any modules will need to be raised with HSCIC via the Information Governance Team.

The methodology and effectiveness of this training programme will be monitored closely from evaluations collated and analysed by O&D and the Information Governance Team.

6.8.11.3 Bespoke or departmental training

Subject to discussions with the Information Governance Team, additional bespoke training sessions are available to teams that require more in-depth training in their own area of specialism. This will enable:-

• A greater understanding of the application of the Trust’s IG policies and procedures;

• Provision of specific departmental advice and guidance;

• Facilitation of a more informal Q&A session.

Training will be delivered in response to demand and serious information security incidents.

6.8.11.4 The training needs analysis (TNA) matrix

Staff training requirements will be outlined in the Training Needs Analysis (TNA) which will form part of the Trust’s Information Governance Staff Training Strategy.

All staff training reports from O&D will form the basis of evidence for compliance with the IGTK and external auditors.

6.9 Staff disciplinary

Staff are forewarned that any breach of confidentiality, e.g. disclosing data to unauthorised parties, the theft/loss or tampering of information, viewing records without authority, transferring personal information electronically without appropriate encryption or secure procedures, sharing passwords, logins and smart cards, uploading inappropriate content onto social media, not following security protocol etc., will invoke staff disciplinary procedures and potentially dismissal and criminal charges, where necessary. Staff will be advised of their legal responsibilities via the Trust’s IG staff training programme.

All security breaches considered serious will be reported immediately to the Information Governance Lead, SIRO and the Caldicott Guardian.

7. Training

See paragraph 6.8.11 above.

8. Equality and diversity

The Trust is committed to ensuring that, as far as is reasonably practicable, the way we deliver services to the public and the way we treat our staff reflects their individual needs and does not discriminate against individuals or groups on the grounds of any protected characteristic (Equality Act 2010). An equality assessment was undertaken. No equality and diversity issues were identified.

9. Monitoring the compliance / effectiveness of this strategy

The monitoring and compliance of this Strategy will be the responsibility of the Information Governance Lead.

Standard/Process/Issue | Monitoring and Audit Method | By | Group | Frequency
Compliance with the Strategy | Is the Strategy published | IG Lead | HIAG | 2 yearly
Completion of IG training | No. of staff attending training sessions | O&D and IG Lead | HIAG | Quarterly
Completion of the IGTK | Annual reports and final IGTK scores | IG Lead | HIAG | Quarterly
Compliance with information requests | No. of requests not responded to within statutory timescales | IG Lead / Health Records Mgr. | HIAG | Quarterly
Number of IG/IT Incidents | Numbers, location, severity, type of incidents | IG Lead / Security Mgr. | HIAG | Quarterly / Ongoing

10. Consultation and review of this strategy

This Strategy will comply with all relevant UK and European Union legislation.

The HIAG will formally review this Strategy every two years, although the content may be reviewed at any time if significant changes to mandatory requirements or national guidance, or the result of any significant IG breaches or incidents, lead to changes in current processes or policies.

11. Implementation of strategy (including raising awareness)

The Trust has developed a communication plan to roll out the deliverables of this IG Strategy. The key communication tools to be used include:-

External Tools

• Publication Scheme

• Gateshead Trust website

• Patient leaflets

• Fair processing notice (privacy notice)

• Patient surveys

Internal Tools

• IG articles in staff newsletters/bulletins

• IG annual staff training programme

• Policy/procedure framework

• Staff surveys

• Staff screensavers

• Staff IG alerts

This list is not exhaustive but represents a sample of communication materials.

The Trust will engage with patients and staff in the development of its information practices. This will be through the completion of anonymised patient/staff surveys where users can provide feedback on how well they think the Trust manages their data to help improve our services.

12. References

Useful Guides/Reviews

• Privacy Impact Assessment Handbook Version 2.0 (Information Commissioner);

• The Caldicott 2 Review, Department of Health, September 2013;

• Data Handling Procedures in Government: Final Report, June 2008.

Monitoring Bodies

• Information Commissioner’s Office – www.ico.gov.uk

• Ministry of Justice – http://www.justice.gov.uk/

• General Medical Council – http://www.gmc-uk.org/

• Department of Health – https://www.gov.uk/government/organisations/department-of-health

13. Associated Documents

Information Risk Policy (IG03);

Freedom of Information Policy (IG04);

Freedom of Information Procedure (IG04a);

Records Management Policy (IG05);

Confidentiality and Data Protection Policy (IG06);

Staff Confidentiality Code of Conduct (IG06a);

Caldicott & Safe Haven Procedure (IG07);


Pseudonymisation Policy (IG08);

Clinical Photography and Audio Visual Recording of Patients – Confidentiality & Consent Policy (IG09);

Information Governance Policy for New and Changed Systems, Processes and Services (IG10);

• General IG Checklist (IG10a);

• IT Systems Information Governance Checklist (IG10b);

• Privacy Impact Assessment Procedure (IG10c);

• Third Party Due Diligence Assessment (IG10d);

• Remote Access Risk Assessment (IG10e);

• Information Governance Contracts Guidance (IG10f);

The Reporting of a Serious IG/Cyber Incident Policy (IG11);

The Re-Use of Public Information Policy (IG12);

Information Governance Staff Training Strategy (IG14);

Data Quality Strategy (IG15);

Records Life Cycle Strategy (IG16);

Confidentiality Audit Procedure (IG17);

The Caldicott Guardian Procedure (for use of PID for secondary purposes) (IG18);

IT and Information Security Policy (OP6B);

Internet, Intranet and Email Acceptable Use Policy (OP17);

Anti-Virus Policy (OP58).


Appendix 1: Roles and Accountability Structure


Appendix 2: Committee/Group Structure


Appendix 3: Terms of Reference for the HIAG

Health Informatics Assurance Group (HIAG)

Terms of Reference (TOR)

Feb 2016 (for Review on 9 Feb 2018)

Name of Steering Group: Health Informatics Assurance Group (HIAG)

Purpose of the HIAG:

The Health Informatics Assurance Group (HIAG) has been established to ensure that the Trust has a consistent and robust approach for the co-ordination of its informatics agenda and its IG work stream requirements.

In adherence to the conditions of the Data Protection Act 1998 and the revised Caldicott principles, the Trust recognises that access to patient information is an essential part in providing excellent patient care. Where conflicting priorities arise between the need to share information and the need to protect patient confidentiality, an appropriate balance will be struck between openness and the Trust’s legal obligations of accountability and safeguarding data. The Health Informatics Assurance Group will be the accountable body for such decisions.

The HIAG will report to the Audit Committee, who will then report into the Trust Board. The Steering Group is responsible for ensuring that there are effective policies and management arrangements covering all aspects of Information Governance in line with the Trust’s Information Governance Strategy and Procedures to ensure the Trust complies with:-

- Openness

- Legal Compliance

- Information Security

- Information Quality Assurance

Objectives and Key Tasks

• To provide the responsible Director with expert advice on Data Protection and Confidentiality, Records Management (Corporate and Clinical), IT Security and Data Quality.

• To ensure there is top level awareness and support for IG resourcing and the implementation of improvements.

• To support the Trust’s Caldicott Guardian in his advisory and facilitative capacity to provide assurance on all clinical, confidentiality and data sharing matters involving third parties.

• To liaise with the other Trust Steering Groups, Committees and Boards in order to promote and integrate IG and CQC standards and to provide a focal point for the discussion of information governance issues.

• To provide direction and support to the development of Trust-wide Information Governance standards, policies, and staff training programmes in order to promote effective information governance.

• To receive reports from the following dedicated working groups, in order to co-ordinate the activities of staff allocated IG responsibilities and progress initiatives:-

o Data Quality and Secondary Use Strategy Group

o Systems Management & Development Group

o Records Management Group

• To ensure annual assessments, audits and improvement plans are documented and undertaken by the dedicated teams for sign off by the Trust Board or an appropriate senior member of staff.

• To provide support to the SIRO in managing the strategic risks associated with the Trust’s Information Asset Registers and to ensure action plans are monitored where gaps have been identified. All actions will be agreed to mitigate the risk and, where appropriate, will be added to the Trust Risk Register.

• To ensure that the Informatics Risk Register is maintained and regularly reviewed, with any high risk exceptions reported to the HIAG Members as and when necessary.

• To ensure all existing or proposed databases and data flows regarding corporate and patient identifiable information comply with the Data Protection Act and the Caldicott Principles. The group will always, in the first instance, promote the use of pseudonymised data flows wherever possible to restrict access to patient identifiable data.

• To receive, consider and assess reports on all security incidents, complaints and claims relating to breaches in data confidentiality and IT security and to recommend appropriate action, where possible. The Group will determine when incidents of a serious nature are to be reported to the ICO and the HSCIC via the IGTK.

• To monitor the Trust’s performance in terms of openness and compliance with Subject Access Requests, Freedom of Information requests and Environmental Information Regulation Requests, including the Publication Scheme.

• To monitor the clinical recording and the associated risk of poor data quality across all corporate and clinical records to ensure the Trust is compliant with the Records Management Code of Practice under section 45 of the Freedom of Information Act 2000.

• To ensure the approach to information handling is communicated to all staff and made available to the public.

• To ensure appropriate IG training is made available and completed by all staff, including those in specialised roles, as and when necessary to support their duties whilst at the Trust.

• To oversee the development and review of protocols governing the sharing and disclosure of patient information across organisational boundaries.

• To review new processes of how personal identifiable data will be managed when new systems or system processes are reviewed and approved. The Group will promote the use of privacy impact assessments to ensure the principles of the Data Protection Act are not compromised by any change of service or access to a third party.

• To complete the submission of the IG Toolkit baseline assessment in July and October, with final assessments published by 31st March of each year.

Membership of the HIAG

Membership of the HIAG is stipulated in Appendix 3a.

Meetings

• The HIAG will meet on a bi-monthly basis, with the Director of Finance and Informatics to chair the Group.

• Expected attendance is 80% of meetings by members or a nominee.

• The group will be deemed quorate when the SIRO, Clinical Safety Officer or Caldicott Guardian is available, with either the Deputy Director of Informatics or the Head of Information and Data Quality, in addition to 2 other members or their nominated representatives. The minimum attendance to be quorate will be 4.

Administration

• The HIAG will have a standing agenda with specific topics added, as authorised by the Chair of the Group. The standing items to cover will be:-

o Information Governance issues

o Information Requests - to cover all FOI, DP and EIR requests

o Risk reporting

o Incident reporting

o ICT

o Records Management

o Data Quality

o Systems Management

• The agenda and any paper attachments will be circulated at least 3 working days prior to the meeting.

• Papers tabled on the day will be accepted for discussion only, unless agreed by the Chair.

• The minutes and agreed actions will be documented and circulated to all attendees within 5 working days.

• Attendees will be given 5 working days to query details and submit any comments, after which the minutes will be considered completed until ratified at the next meeting.

Reporting Structure

• All HIAG reports will feed into the Audit Committee.

Version | Date | Review Date | Summary of Changes | Author

V1 | None applicable | Lauren Hamill – IG Officer

V2 | 03/03/2015 | 03/03/2017 | Changes in the group structures. | Marie Galloway – IG Lead

V3 | 01/06/2015 | 01/06/2017 | Minor changes | Marie Galloway – IG Lead

V4 | 09/02/2016 | 9/02/2016 | Added the Records Management Group to ToR | Marie Galloway – IG Lead


Appendix 3a: Membership of the HIAG

Membership of the HIAG includes the following job roles:-

Role | Nominated Person

Director of Finance and Informatics | John Maddison

Information Governance Lead / Deputy Caldicott Guardian | Marie Galloway (Interim)

Caldicott Guardian | Keith Godfrey

Clinical Lead for Informatics / Clinical Safety Officer | Rob Allcock

Deputy Director of Informatics | Nick Black

Head of Information and Data Quality | Michelle Conroy

Head of Risk Management | Sue Winn

Health Records Manager | Mark Smith

Head of IT | Mhairi Rooney

IT Directory and Security Manager | Derek Prudhoe


Appendix 4: Information Governance Toolkit Controls Summary

No. | Description

Information Governance Requirements

101 | There is an adequate Information Governance Management Framework to support the current and evolving Information Governance agenda.

105 | There are approved and comprehensive Information Governance policies with associated strategies and/or improvement plans.

110 | Formal contractual arrangements that include compliance with information governance requirements are in place with all contractors and support organisations.

111 | Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation.

112 | Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained.

Confidentiality and Data Protection Assurance

200 | The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs.

201 | The organisation ensures that arrangements are in place to support and promote information sharing for coordinated and integrated care, and staff are provided with clear guidance on sharing information for care in an effective, secure and safe manner.

202 | Confidential personal information is only shared and used in a lawful manner and objections to the disclosure or use of this information are appropriately respected.

203 | Patients, service users and the public understand how personal information is used and shared for both direct and non-direct care, and are fully informed of their rights in relation to such use.

205 | There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data.

206 | Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request.

207 | Where required, protocols governing the routine sharing of personal information have been agreed with other organisations.

209 | All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines.

210 | All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements.

Information Security Assurance

300 | The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meets the organisation’s assessed needs.

301 | A formal information security risk assessment and management programme for key information assets has been documented, implemented and reviewed.

302 | There are documented information security incident / event reporting and management procedures that are accessible to all staff.

303 | There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority.

304 | Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use.

305 | Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems.

307 | An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy.

308 | All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers.

309 | Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service specific measures are in place.

310 | Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error.

311 | Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code.

313 | Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely.

314 | Policy and procedures are in place to ensure that mobile computing and teleworking are secure.

323 | All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures.

324 | The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate.

Clinical Information Assurance

400 | The Information Governance agenda is supported by adequate information quality and records management skills, knowledge and experience.

401 | There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements.

402 | Procedures are in place to ensure the accuracy of service user information on all systems and/or records that support the provision of care.

404 | A multi-professional audit of clinical records across all specialties has been undertaken.

406 | Procedures are in place for monitoring the availability of paper health/care records and tracing missing records.

Secondary Use Assurance

501 | National data definitions, standards, values and validation programmes are incorporated within key systems and local documentation is updated as standards develop.

502 | External data quality reports are used for monitoring and improving data quality.

504 | Documented procedures are in place for using both local and national benchmarking to identify data quality issues and analyse trends in information over time, ensuring that large changes are investigated and explained.

505 | An audit of clinical coding, based on national standards, has been undertaken by an NHS Classifications Service approved clinical coding auditor within the last 12 months.

506 | A documented procedure and a regular audit cycle for accuracy checks on service user data is in place.

507 | The completeness and validity check for data has been completed and passed.

508 | Clinical/care staff are involved in validating information derived from the recording of clinical/care activity.

510 | Training programmes for clinical coding staff entering coded clinical data are comprehensive and conform to national standards.

Corporate Assurance

601 | Documented and implemented procedures are in place for the effective management of corporate records.

603 | Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000.

604 | As part of the information lifecycle management strategy, an audit of corporate records has been undertaken.


Appendix 5: The Policy and Procedure IG Framework

The framework is organised into the IG Toolkit series:

• 100 Series – IG Management

• 200 Series – Confidentiality/Data Protection Assurance

• 300 Series – Information Security Assurance

• 400 Series – Clinical Information Assurance

• 500 Series – Secondary User Assurance

• 600 Series – Corporate Information Assurance

Strategies / Policies and Procedures:

• Information Governance Strategy

• Information Governance Staff Training Strategy

• Confidentiality and Data Protection Policy

• Privacy Impact Assessment Policy and Procedures

• Information Governance Policy for New and Changed Systems, Processes and Services

• Staff Confidentiality Code of Conduct

• The Caldicott and Safe Haven Procedure

• Incident Reporting Policy and Procedures

• Reporting of a Serious Breach/Cyber Incident Policy

• Subject Access Request (SAR) Policy/Procedures

• Protocol for Dealing with Police Requests for Information and Evidence

• IT Strategy

• IT and Information Security Policy

• Internet, Intranet and Email Policy

• IM&T Disaster Recovery Policy/Plan

• Information Risk Policy

• Public Wi-Fi Policy

• Pseudonymisation Policy

• RA Policy and Procedures

• BC Policy / BC Strategy

• Change Control Policy

• Anti-Virus Policy

• Routine Monitoring of Internet Procedure

• Deletion of NT/Email Accounts Procedure

• Data Protector Configuration Procedure

• Clinical Recording and AV Recording of Patients

• Clinical Recording Policy

• Clinical Audit Policy

• Clinical Coding Policy

• Data Quality Strategy/Policy

• Freedom of Information Policy

• Freedom of Information Procedures

• Re-Use of Information Policy

• Records Management Policy

• Record Lifecycle Strategy

Related Documents:

• IG Improvement Plan

• IG Training and Communication Plan

• ICO DPA Registration

• Fair Processing Notice

• Information Sharing Protocol and Agreement Template

• ICT Assurance Plan

• Remote Working Technical Spec

• Annual Clinical Audit

• Data Quality Implementation Plan

• FOI Log

• Record Management

• IG Staff Training Log

• IG contract clauses

• IG staff intranet webpages

• IG Staff Handbook

• IG Patient Survey

• Annual IG Audits/Spotchecks

• Information Sharing Agreement Log

• Caldicott Approval Log

• SAR Log

• Pseudonymisation Plan

• RA Plan

• Information Asset Registers

• Data Mapping Registers

• Security Incident Log

• Smart Card Register

• BC Plans

• SSSPs

• Risk Assessments

• New IT Request Procedure

• Data Quality Audit Procedures

• Annual Clinical Record Audit

• Annual Corporate Record Audit

Committees / Working Groups / Roles:

• Health Informatics Assurance Group (HIAG)

• Health Informatics Strategy Group (HISG)

• Gateshead Information Network (GIN)

• Audit Committee

• An appointed Caldicott Guardian

• The Systems Management and Development Group

• Risk Management Committee

• Emergency Planning Response and Recovery Committee (EPPR)

• An appointed SIRO

• Appointed IAOs and IAAs

• SafeCare Board

• Clinical Audit Committee

• Mortality and Morbidity Steering Group (MMSG)

• Serious Incident Panel

• Data Quality and Secondary User Group

• Medway User Group

• Records Management Terms of Reference Group


Appendix 6: The Information Governance Work Plan

IG Deliverable: An Information Governance Framework

IG Requirement: A framework of policies and procedures will be maintained in respect of data security, patient confidentiality, data protection, freedom of information, data quality and records management. Most existing policies are due for a revision in March 2017.

Planned Activity: Annually

IG Deliverable: Publication Scheme

IG Requirement: As per s19 of the Freedom of Information Act 2000, a Publication Scheme will be maintained and reviewed annually to ensure the content and standards of publication are still appropriate and not out of date. This will establish our publication standards and support the reputation of the Trust as being an open and accessible organisation.

Planned Activity: Annually

IG Deliverable: Completion of the National IG Toolkit Assessment

IG Requirement: A continual review and refresh of existing evidence, policies and procedures and existing plans will be required to achieve a level 3 target for the IGTK.

Planned Activity: Ongoing - March, July and October of each year

IG Deliverable: An Information Governance Training Programme

IG Requirement: A review of all training programmes and materials will be undertaken frequently to evaluate if course content is still relevant and applicable. The roll out of the Trust’s staff information governance training programme will cover:-

• Induction – new starters to the Trust;

• Refresher mandatory training for current staff;

• Volunteers/Cadet training;

• Tailored face to face training for specific service requirements;

• Role specific training for e.g. the SIRO, the Caldicott Guardian etc.

An e-learning training tool will be rolled out to assist with the mandatory training programme.

Planned Activity: Quarterly

IG Deliverable: Management of Security Incidents

IG Requirement: A review of security incidents will be undertaken to determine where plans of action are required. Quarterly reports will review location and types of incidents for trend analysis.

Planned Activity: Ongoing

IG Deliverable: Data Mapping and Information Asset Registers

IG Requirement: All current data mapping and information asset registers that map the information assets and risks of each service area will be refreshed or completed, where applicable. Security incident reports produced by Datix will feed into this programme. This is a large piece of work expected to be undertaken between 2015-2016.

Planned Activity: Ongoing

IG Deliverable: An Information Governance Communication Programme

IG Requirement: The Trust will develop a communication programme to raise the profile of information governance in the Trust. This will be done through the dissemination of staff emails, divisional/corporate newsletters, articles via the QE Weekly, team meetings and the staff intranet etc.

Planned Activity: Periodically

IG Deliverable: An Information Governance Hub – Website Presence

IG Requirement: An Information Governance hub will be maintained to disseminate clear advice and guidance through the Trust’s website, in terms of policies, procedures, staff leaflets, staff training programmes, awareness posters etc. All stakeholders will be made aware of the importance of holding accurate data and how this should be managed so that the appropriate care or service can be continually improved.

Planned Activity: Periodically

IG Deliverable: Third Party Contracts

IG Requirement: A contract supplier list will be reviewed annually by the Procurement Team and the IG Lead/Officer to ensure all confidentiality clauses are inclusive, and those who do have access to the Trust’s data are risk assessed before any request is granted. All auditing arrangements will be suitably identified and carried out.

Planned Activity: Annually

IG Deliverable: IG Employment Contract Clauses

IG Requirement: Staff recruitment requirements will be addressed at the recruitment stage with employment contracts containing a DP/confidentiality clause. For all casual staff a confidentiality statement will be signed. The information security expectations of staff will be included in their job descriptions and appropriate job definitions.

Planned Activity: Annually

IG Deliverable: Information Governance Staff Survey

IG Requirement: The Trust will publish a staff information governance survey each November to identify public feedback to help identify staff training needs.

Planned Activity: Annually

IG Deliverable: The Implementation of a Data Quality Programme

IG Requirement: A data quality programme will be explored to ensure the Trust’s data is complete and accurate within our information systems to support our operational and clinical decision-making. Where possible, the validation of data entry and data analysis at input stage will be incorporated and maintained. The Trust’s approach in the collection and use of data will be consistent.

Planned Activity: Annually

IG Deliverable: An Audit Compliance Monitoring Programme

IG Requirement: The Trust will undertake appropriate information governance spot checks, compliance reports and audits and risk assessments to identify where gaps exist in the framework. A work plan has been devised for this.

Planned Activity: Annually

IG Deliverable: Fair Processing Notice

IG Requirement: A Fair Processing Notice will be published on the Trust’s external website to inform service users of how their data will be held, processed and shared. This will be reviewed annually.

Planned Activity: Annually

IG Deliverable: Procurement/Development of New IT Systems

IG Requirement: Any new proposed information system, computerised or manual, that holds personal identification data (i.e. PID), including PID relating to service users, carers or staff, will be risk assessed by the Information Governance Team before being procured and implemented by the Trust.

Planned Activity: Ongoing

IG Deliverable: Collaboration and Information Sharing

IG Requirement: A review of all Information Sharing Agreements will be undertaken annually to ensure clear governance arrangements for the management of collaborative environments and networks have not expired or terminated. All agreements will have a clear clarification of roles and responsibilities, auditing and security arrangements.

Planned Activity: Annually


Appendix 7: The Trust’s IG Specialist Training Programme

All staff in specialist roles are expected to undertake further training within 3 months of taking up their post. The modules to be completed are stipulated below and can be accessed via the HSCIC IG Training Tool at: https://www.igtt.hscic.gov.uk/igte/index.cfm

Role: All Staff Regardless of Role

Information Governance Toolkit Training:

• Mandatory Training – Introduction to Information Governance

Frequency: Every year

Role: SIRO

Information Governance Toolkit Training:

• Introduction to Information Governance

• NHS Information Risk Management: Foundation

• NHS Information Risk Management for SIROs and IAOs

• Secure Transfers of Personal Data

• Information Security Guidelines

Frequency: 3 years

Role: Caldicott Guardian

Information Governance Toolkit Training:

• Introduction to Information Governance

• The Caldicott Guardian in the NHS and Social Care

• Patient Confidentiality

Frequency: 3 years

Role: Trust Secretary (who currently covers corporate records)

Information Governance Toolkit Training:

• Introduction to Information Governance

• Information Security Guidelines

• Secure Transfers of Personal Data

• NHS Information Risk Management for SIROs and IAOs

• Records Management and the NHS Code of Practice

• Patient Confidentiality

Frequency: 3 years

Role: Information Governance Officer / Information Governance Assistant

Information Governance Toolkit Training:

• Introduction to Information Governance

• Information Security Guidelines

• Information Security Management

• Secure Transfers of Personal Data

• NHS Information Risk Management for SIROs and IAOs

• Access to Health Records

• Patient Confidentiality

• Business Continuity Management

Frequency: 3 years

Role: Information Security Manager

Information Governance Toolkit Training:

• Introduction to Information Governance

• Information Security Guidelines

• Password Management

• Secure Transfers of Personal Data

• NHS Information Risk Management: Foundation

• NHS Information Risk Management for SIROs and IAOs

• Business Continuity Management

• Patient Confidentiality

Frequency: 3 years

Role: Head of Information and Data Quality

Information Governance Toolkit Training:

• Introduction to Information Governance

• NHS Information Risk Management: Foundation

• NHS Information Risk Management for SIROs and IAOs

• Business Continuity Management

Frequency: 3 years

Role: Health Records Manager and SAR Handlers

Information Governance Toolkit Training:

• Introduction to Information Governance

• Records Management and the NHS Code of Practice

• Records Management in the NHS

• Access to Health Records

• Patient Confidentiality

• The Importance of Good Clinical Record Keeping

Frequency: 3 years

Role: RA Manager

Information Governance Toolkit Training:

• Introduction to Information Governance

Frequency: 3 years

Role: Clinical Manager

Information Governance Toolkit Training:

• Introduction to Information Governance

• The Importance of Good Clinical Record Keeping

Frequency: 3 years

Role: IAO

Information Governance Toolkit Training:

• Introduction to Information Governance

• NHS Information Risk Management for SIROs and IAOs

• NHS Information Risk Management: Foundation

Frequency: 3 years

Role: IAA

Information Governance Toolkit Training:

• Introduction to Information Governance

• NHS Information Risk Management for SIROs and IAOs

• NHS Information Risk Management: Foundation

Frequency: 3 years